The European Commission will in June push for access to data stored in the cloud by encrypted apps, according to EU Justice Commissioner Věra Jourová.
Speaking publicly, and claiming that she has been pushed by politicians across Europe, Jourová said that she will outline "three or four options" that range from voluntary …

COMMENTS

tech companies and security experts say that if an encryption backdoor is created it will be impossible to ensure that only the "good guys" use it, and so effectively undermines the whole system.

Correct for an end-to-end encrypted system. Incorrect for a store and forward encrypt-to-provider, encrypt-from-provider system.

She cannot do anything against physical persons and corporations using end-to-end crypto themselves. That horse bolted 20 years ago when Phil Zimmermann gave PGP to the world.

Now, provider assisted is a different story. She can do that TODAY.

The law as it stands is an ass and being a dumb ass it does not give a flying f*** about the application design disallowing legal intercept. It insists that legal intercept is provided, and the way it is formulated in half of the EU allows the law to take a big hatchet to any provider-run end-to-end encrypted messaging (once again - it cannot do anything about private persons today). By the way, by disallowing USA corporations to take any cases with them to California, the EU has already done half of the work on this one. The remaining half is a court case which will happen sooner or later (when someone finally explains to the retarded politicos that the law has already taken care of this).

So all it takes is ONE court case to prove that legal intercept requirements apply to Facebook, Google, Telegram and friends. We will be back to using PGP in email on the next day after that.

So, in fact, she does not even need to legislate. She just needs to pick one of the EU countries to start the court case.

"She cannot do anything against physical persons and corporations using end-to-end crypto themselves. That horse bolted 20 years ago when Phil Zimmermann gave PGP to the world."

Yes she can. That's the big advantage to controlling the police force and having access to an army. It just requires simple legislation saying anyone sending packets that can't be decoded (encrypted or random, doesn't matter) goes to prison.

"Yes she can. That's the big advantage to controlling the police force and having access to an army"

Shall I refer you to the priceless clip from Shrek 1 - "You and what army?" - or will you peruse it without referral? She is an EU commissioner - she has no army, and whatever she does requires a consensus of member states.

But creating legislation that bans the use of crypto would be within her powers.

Actually - no. Crypto nowadays is math; an EU commissioner is not the Indiana legislature, it cannot decree that Pi is 3.00.

What she can decree, and what she can refine, are the requirements towards providers for legal intercept, so as to make Telegram, iMessage and Facebook chat in their current form illegal. That is perfectly achievable technically and that is something a politico can and should do.

She may try to also specify reqs for commercial software, but that is going to die on technical grounds long before it gets anywhere near becoming law.

Nowhere for terrorists to hide

"What she can decree, and what she can refine, are the requirements towards providers for legal intercept, so as to make Telegram, iMessage and Facebook chat in their current form illegal. That is perfectly achievable technically and that is something a politico can and should do."

As long as they outlaw whispering too. I am sure terrorists whisper to each other. And curtains. Who knows what people get up to behind closed curtains.

"What she can decree, and what she can refine, are the requirements towards providers for legal intercept, so as to make Telegram, iMessage and Facebook chat in their current form illegal. That is perfectly achievable technically and that is something a politico can and should do."

The problem with that is twofold:

1 - the direct impact of that is a two-lane world, with one lane using the now backdoored technology and all the consequences that that creates, such as a near-immediate threat of ID theft and breaching of anything we would like to control such as Internet banking and Internet shopping (I don't have to explain why, that topic has been done to death over decades, and if said politician and her friends want to ignore that body of evidence, on her head the consequences will be). The other lane will sensibly continue to use decent crypto and be safe, but naturally assist law enforcement with investigations as much as POSSIBLE, not IMpossible. By the way, no guessing which lane this politician herself will want to be in - I noticed a distinct trend there.

2 - there will be a growth of in-band encryption and obfuscation. WhatsApp (which I wouldn't trust anyway) and others could get an inside shim which takes a text and changes the contents. One time pads are an absolutely *ancient* idea that is easy to implement in software by means of dictionaries, or even using an ebook that both parties have to independently download (the discovery of which will no doubt lead to the banning of ebooks as well, I guess). That aside, there will also be a lot of import from countries who couldn't care less, and with that will again come a lot of crime where people will use apps that have backdoors for other crooks (I never assume benign motives for politicians trying to mandate something against all sensible advice out there).

Either option is detrimental to democracy and freedom - so maybe she should state upfront that targeting that is her real aim. Let's skip the pretence, shall we? Will she also ban cars because they are increasingly used in lone-man terrorist attacks? No? Why not? The arguments are no different.

No problem for banks, sorry

such as a near-immediate threat of ID theft and breaching of anything we would like to control such as Internet banking and Internet shopping

Actually there would be no effect on banks: they can encrypt the communications between them and the clients all they want, but as an organization a bank is already compelled to keep records, and to provide them to investigators if ordered to do so by courts.

The law enforcement types are really only after end-to-end encryption between individual people, or people and shady organizations.

@Adam 52

Adam,

there is no such thing as EU law in the UK (or any country in the EU as such), what our Parliament does (as do others) is ENACT laws here that meet the requirements of a specific EU law - paraphrased a bit, hopefully you get the gist....

"[W]hat they are suggesting will essentially mean the end of the internet and telecommunications."

This really is quite silly. In fact, a great deal of communication still is either not encrypted or subject to delivery to a government in decrypted form based on a legal request such as a warrant or sometimes subpoena (US) or equivalent in other countries. Lawful telephone intercept has been in place for decades in the US and probably nearly everywhere else. Requiring lawful decryption capability will not end the Internet or telecommunications going forward any more than lawful intercept capability has done in the past.

On the other hand, requiring it is extremely unlikely to prevent use of publicly available encryption methods by individuals who consider the risk-reward trade-off favorable. Anyone thinking about using it for criminal purposes would rationally consider whether use of encryption not subject to legally ordered decryption will increase the probability of being detected or caught, or the penalty if caught. They might also think of other methods to communicate secretly that do not raise similar issues. For everyone else, life will go on much the way it has since the invention of communication.

There are no serious technical impediments to producing and deploying a cryptosystem that would be subject to third party decryption. Key escrow systems, for example, have been known for decades at least. It may be unwise to use such a cryptosystem, and it may be comparatively easy to use readily available alternatives (possibly with penalties for use that one might need to evaluate), but incorrect claims that it is infeasible confuse and obscure the real issues.
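Both the earlier distinction between end-to-end and encrypt-to-provider systems and the key escrow mentioned here come down to one question: who holds a copy of the key that unlocks the message. The Python below is an added illustration, not code from the page or from any product named on it; its seal/open primitive is a toy stand-in for a real AEAD such as AES-GCM, and every key is constructed.

```python
import hashlib
import hmac
import secrets

# Toy seal/open (SHAKE256 keystream XOR plus an HMAC tag), standing in for a real AEAD.
def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = hashlib.shake_256(key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

def encrypt_message(plaintext: bytes, recipient_key: bytes, escrow_keys=None) -> dict:
    # Fresh content key, wrapped once per party allowed to read it: with no escrow
    # keys this is end-to-end; adding an agent's key turns it into key escrow.
    content_key = secrets.token_bytes(32)
    wrapped = {"recipient": seal(recipient_key, content_key)}
    for name, key in (escrow_keys or {}).items():
        wrapped[name] = seal(key, content_key)
    return {"wrapped_keys": wrapped, "body": seal(content_key, plaintext)}

def decrypt_message(message: dict, role: str, key: bytes) -> bytes:
    if role not in message["wrapped_keys"]:
        raise PermissionError(f"no key slot for {role}: not readable by that party")
    content_key = open_sealed(key, message["wrapped_keys"][role])
    return open_sealed(content_key, message["body"])

def can_read(message: dict, role: str, key: bytes) -> bool:
    try:
        decrypt_message(message, role, key)
        return True
    except (PermissionError, ValueError):
        return False

def demo() -> dict:
    # Constructed keys; a deployed system would wrap the recipient slot to a public key.
    recipient, escrow_agent, provider = (secrets.token_bytes(32) for _ in range(3))
    msg = b"constructed sample message"
    e2e = encrypt_message(msg, recipient)
    escrowed = encrypt_message(msg, recipient, {"escrow": escrow_agent})
    return {
        "e2e_recipient": can_read(e2e, "recipient", recipient),
        "e2e_escrow": can_read(e2e, "escrow", escrow_agent),
        "escrow_recipient": can_read(escrowed, "recipient", recipient),
        "escrow_agent": can_read(escrowed, "escrow", escrow_agent),
        "escrow_provider": can_read(escrowed, "escrow", provider),
    }
```

The escrow slot is simply a second wrapped copy of the content key, which is why the feasibility argument above holds and also why the extra slot is the thing a defender has to protect: anyone holding that key reads every escrowed message.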

You and whose army?

There are EU police forces, but they tend to disguise themselves as national forces that work together in an association. The most obvious sort are the Gendarmerie, a force dedicated to maintaining public order. This sort of force doesn't exist in England as a separate entity, although there seems to be a part of the Met that performs this function in London.

It's stupid, but I suppose they'll have to jail a few people for extended periods "pour encourager les autres".

The main issue is that extremely easy-to-use apps like WhatsApp can make you invisible to tracking, as it encrypts all communications by default.

Now it's harder for 3-4 letter agencies to just focus on people who are using encryption for hiding messages or being paranoid. Before, they only had to keep an eye on people using Tor or sending scrambled/encrypted messages; now just using WhatsApp hides you among the other millions of people who use it, which is really no good.

If this act gets through, the app makers won't make back doors; they'll just simply turn off OTR in the messaging apps so they can be intercepted again, and the people who have something to hide will likely use something else and get put on the monitoring list.

I personally don't like what WhatsApp have done by making OTR the default, as they have made it very simple to use for anyone doing bad stuff with no technical knowledge.

Unfortunately

No it isn't moronic, it is the truth, well sort of.

No, she doesn't control paramilitary police forces with the ability to lock up without trial, nor armies.

However, the governments that she effectively instructs DO have these, and worse, it is the governments that want to spy on everyone.... mainly to ensure that none of us snotty little proles dare to try and upset the rich-get-richer-and-you-get-screwed current political system. (It has nothing at all to do with terrorism or child porn; these are fig leaf excuses for the stupid.)

I personally can't see the army of any country being involved (they are such a small number anyway and the British army don't possess enough bullets and shells to make a significant dent in London never mind elsewhere).

However, I do see them using the police to enforce such barmy laws, and there is already sufficient provision even in the UK to pretend the arrest might be somehow related to some mythical terrorist plot, the details of which, and the method of discovery of which, are too 'secret' to be shared (even with a media already muzzled from publishing 'secrets' like the MPs' and councillors' expense claims). If they pretend the arrest is to do with terrorism they can keep you as long as they like - or ship you out to the Americans for Guantanamo or similar.

I am white and getting long in the tooth; I still remember the IRA blowing up London every Christmas (not just once in 7 years) and we survived. We actually survived the dirty habits of the then TV, football and other overpaid stars created by the media. I also remember that the BBC broadcast D-Day to the resistance without encryption, and that the forerunner of GCHQ managed to break the ciphers that the Germans had been told couldn't be broken (probably by using exactly the tricks that GCHQ can still use on the things we are told are secure today).

This is about control, about fear, about keeping the masses at home watching collywobble street and not protesting about their lack of work and opportunity while the rich get on and take increasingly large amounts of wealth.

Ban manually steered cars as well...

The police are not bound by any laws when it does not suit the purposes of the powers that be. The WhatsApp aspect of the Bridge Of Death fairy tale is just there so they can get a back door into WhatsApp. The same thing happened with BBM after the 2010 city riots. BBM went offline for 2 weeks, then came back with the back doors installed.

If there is a pattern that can be observed since the birth of the transistor, it is that whenever there is an attempt to control or block something, it takes years to legislate and in the meantime ten alternatives spring up in its place. The government / police etc. can't keep pace, and they might as well give up trying to control it and accept that shit is gonna happen; that's the way the world works.

They can claim that some new law has had positive effect and 99.99% of people don't do something anymore because they know it's illegal but the truth is that the remaining 0.01% that still do are more determined to find a way around it so they go deeper underground and find another way around it while the lawmakers repeatedly play catchup-22 (see what I did there). And it's those 0.01% that they were targeting in the first place. So yeah, the control thing never really works.

So what happens when WhatsApp are forced to implement a backdoor, the police get a court order to release a suspect's message history, and they discover that they still can't decipher the juicy bits because the suspect encrypted their content once before posting it? Exactly the same as it is now, just one level deeper, that's what. No more information, no more leads, just a 99.99% bunch of decrypted cat pictures and "Look what I had for dinner" posts, and 0.01% suspected juicy bits, but they can't find out anyway because the suspect already encrypted it before it went onto WhatsApp.

So they go after the encryption software devs and force them to implement a backdoor. In the meantime 10 other alternatives are written and the government are still scratching their heads, but technically they will be in exactly the same relative position they were waaaaay back in the 80's.

It would be interesting to see if the EC/UK/USA would support and defend Russia, China, Somalia, North Korea etc. mandating a backdoor encryption into western products. They would only want it for the same reason after all - to fight *evil*.

Would this be the same backdoor that all these countries are given access to, or would it be a separate backdoor from each (Swiss cheese method)? Would it also include SSL, SSH etc. and therefore provide these nations (as well as our own) access to communication links used by utilities and infrastructure?

This doesn't even need an effort to stop bad guys finding the back door; once the can of worms is opened, how do you stop the "bad guys"* from being shown the back door?

We promise it will only be used to Catch T's and P's...

Later, when it's forgotten, it'll actually be used to round up Whistleblowers, Investigative-Journalists & Human-Rights-Activists etc... Why? Because slurping / snooping has been shown to be ineffective at catching T's, & UK government officials 'disappeared' evidence of abuse by P's for decades!

Daily Fail?

What it will do is try to pacify politicians screaming "something must be done!" to appease Daily Fail-style readers all over Europe.

No need for Daily Fail here: we have plenty enough nonsense right here on El Reg[1]. Like the headline here, which turns out to be a story that a senior civil servant will bring forward a selection of proposals.

To see the significance of that, think of everyone's favourite civil servant Sir Humphrey doing the same. Then perhaps consider how much harder it's likely to be to manipulate 27 governments and public opinion in public than one minister behind closed doors. She's kicking it into the long grass.

Re: And how exactly will this stop unmonitored random nutters driving cars at people again?

What it will do is make it harder for the guys who groom and coerce vulnerable people into doing things like this getting away with it.

Like money laundering legislation, it will just affect normal people, and not make a jot of difference to the bad guys, since they will just put a little effort into circumventing it. And at the same time make us all a little bit less safe from unconstrained government snooping.

You also seem to be under the delusion that this will be used just for counter-terrorism. I suppose it is understandable since that is all the Government ever talks about, but if so, then why do you think that dozens and dozens of bodies, such as the Department of Work and Pensions, the Competition and Markets Authority, and the Gambling Commission, can legally access your communications data? Do you think that the Welsh Ambulance Services NHS Trust really have a role in "making it harder for the guys who groom and coerce vulnerable people into doing things like this getting away with it"?

Re: And how exactly will this stop unmonitored random nutters driving cars at people again?

"politicians and law enforcement insist they don't care how it's done"

And will go on "not caring" until someone raids their personal message stash and broadcasts their assorted crimes, infidelities and unusual sexual proclivities.

And I think we know there are going to be quite a few of all of the above amongst the assorted pols comms chatter.

This couldn't have anything to do with the idea that a backdoor would allow monitoring of anyone they like without them being aware of it, and therefore eliminate the need for a search warrant that a number of European states' (UK included) law enforcement agencies find so annoying, could it?

Re: No 6...

You really don't get it, do you. Whenever there's a problem that the Powers That Be _really_ want solved that has no good solution, only a choice between no solution and a bad solution, the bad solution will end up getting applied, regardless of how bad it is, no exceptions. The denial permeating the place around here is astonishing - this is textbook xkcd "rubber-hose cryptanalysis", only instead of a $5 wrench they'll throw the book at anyone who dares to use strong encryption on anything, if that's what they want. "Maths" will not help you while you sit behind bars. Yes, I'm aware that is not what this article (or this "law") is about. It's only the next logical step once this proves as ineffective as expected in preventing bad people from hurting other people.